HIPAA and Beyond: How to Effectively Safeguard Electronic Protected Health Information

Lumension white paper
Ben Rothke, CISSP, PCI QSA
August 4th, 2008
Introduction

In the world of information security, well-defined security programs are the forest, and regulations like HIPAA, SOX and PCI are the trees. Too many healthcare organizations mistake the trees for the forest.

By way of analogy, one of the benefits of Social Security is SSI, or Supplemental Security Income. The operative word is supplemental: Social Security is meant to augment your retirement income, not to be its main source. HIPAA is much like SSI in that it is meant to supplement your formal information security program. If you view HIPAA as the end-all of your information security and privacy program, you are in serious trouble.

This white paper details how to go beyond HIPAA: how to use HIPAA as the starting point for your security program, and then how to use best practices and Lumension Security solutions to improve your overall security posture.

HIPAA - Showing its Age

Imagine paying $1.25 for a gallon of gasoline. One would have to go all the way back to 1996 to get that price. Going back to 1996 also takes us to the year when Congress enacted the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA was created for health insurance reform and the streamlining of claims, not for security and privacy. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

The Administrative Simplification provisions also address the security and privacy of patient health data. The HIPAA security and privacy rules are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.

HIPAA Security and Privacy Rule

Within Administrative Simplification exist the HIPAA Privacy Rule and Security Rule. The Privacy Rule became effective in April 2003 and establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is broadly defined as any information about the health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of a patient's medical record or payment history [1].

The HIPAA Security Rule was issued in February 2003 and complements the Privacy Rule. While the Privacy Rule pertains to all PHI, both paper- and electronic-based, the Security Rule deals specifically with electronic PHI (ePHI) and lays out three types of security safeguards required for compliance: administrative, physical and technical. For each, the Rule identifies various security standards, and for each standard it names both required and addressable implementation specifications. Addressable does not mean optional: a CE must either implement an addressable specification or document why doing so is not reasonable and appropriate and implement an equivalent alternative measure.

Moving Beyond HIPAA

HIPAA was written by non-security personnel, who likely could not differentiate between a firewall and a fire extinguisher. The outcome is that HIPAA lacks the depth and breadth on which to build an information security program. If you build your security and privacy program with HIPAA solely as its foundation, it will fail, because HIPAA takes a myopic view of security and privacy, with PHI at the center of its universe. But there is much more to information security than PHI.

With that, covered entities [2] (CEs) must look beyond HIPAA and take a global view if they want more than simple HIPAA compliance.

While the intent of HIPAA was laudable, over a decade has passed since its inception and it has already begun to show its age. Organizations that mistakenly look to HIPAA for their security infrastructure should stop being shortsighted and look forward.

While HIPAA is a static regulation, CEs exist in a dynamic IT world with new threats appearing daily. When HIPAA first came out, vulnerability assessments, patching and configuration remediation were typically performed quarterly at best. Now, with zero-day threats, the lack of a defined network perimeter and the focus on information
protection, the need for real-time patching and proactive endpoint and data protection is a basic requirement.

The following steps show you how to get that global view and how to move beyond HIPAA for any CE.

Step 1 - Using a Framework for Security

The healthcare industry does not lack information security products. Data centers are stocked full of racks of firewalls, VPNs, security appliances and much more. While the underlying infrastructure is there, the challenge CEs face is making these products work together, to provide adequate security, and to support their HIPAA compliance effort.

By employing a well-developed, organized and enforced set of security policies, and by understanding where your exposures reside, you will be better prepared for issues when they occur. Organizations that do not define and enforce security policies proactively are in for a rough time when disaster strikes. Simply put, if your security infrastructure isn't built on a solid foundation, it is bound to collapse under the weight of increased threats and vulnerabilities. By creating a security foundation, CEs can readily deal with any new regulation.

This is especially true given the compliance 80/20 rule. If you take all of the security and privacy regulations and combine them, there is roughly 80% commonality between them. The 80/20 rule shows that having a core framework in place to deal with the 80% commonality means that at worst an enterprise will only have the remaining 20% of a new regulation to deal with.

That is where information security frameworks come into the picture. An information security framework contains the assumptions, concepts, risk values, and security practices underlying an organization's information security infrastructure. Frameworks such as ISO 27001 [3] and 27002 [4] and ITIL [5] (IT Infrastructure Library) are needed because current healthcare security projects are much more complex than those of years past. Frameworks provide a formal approach to security, which matters because too many CEs take an ad hoc approach to security, an approach every security professional should reject.

Using frameworks such as ISO 17799 (renumbered ISO/IEC 27002 in 2007) or ITIL helps CEs by giving them a structure with which to protect their IT assets. Also, when an organization decides to formally embrace a framework, it sends a strong message of its commitment to information security.

Within HIPAA, using a framework can be especially valuable as it can show others the depth of your security program and your overall commitment to their security and privacy. As security is becoming a differentiating factor, the use of a framework can differentiate your organization from insecure ones.

Step 2 - Risk Assessment

The foundation of any information security program must be a formal and comprehensive risk assessment. If you don't know your risks, you have no idea of your security context, no idea of who your adversaries are, and in essence, you are shooting in the dark. CEs that jump into doing information security without a comprehensive and formal risk assessment end up doing a lot of security work, but don't have much to show for it when all is said and done. To properly protect your network, you need to create a matrix detailing the risks your organization faces, listing the level of each threat against the likelihood of it happening. Risk analysis is not optional under HIPAA either: it is a required implementation specification of the Security Management Process standard, § 164.308(a)(1)(ii)(A).

Once the risk assessment is complete, don't make the mistake of attempting to quickly fix all of the problems by creating a huge to-do list and handing it to external consultants to complete. The only way to effectively manage risk on enterprise networks is to approach the remediation process in a formal, strategic manner: create detailed project plans under the control of an effective project manager.

The beauty of a risk assessment is that it tells you exactly what you need to worry about. If you don't take this approach, you end up defending against murky hackers and vague threats from somewhere. A formalized risk assessment gives you the knowledge of who your enemy really is; Sun Tzu would be proud.

A risk assessment is the ultimate commitment to HIPAA, as it shows that a CE isn't simply taking a rubber-stamp approach to HIPAA, but is trying to get to the core of the security and privacy issues. More importantly, it shows
that a CE is focusing on the real threats, rather than on perceived external threats.

Step 3 - The 3 P's (Policy, Processes, Procedures)

CEs need information security policies to ensure a safe and sound infrastructure. Security policies are often the first step in ensuring that corporate assets are not squandered by nefarious employees. Security policies are like fiber, that is, the kind you eat. Everyone agrees that fiber is good for you, but no one really wants to eat it; so too with information security policies. They are sorely needed, but most users don't go out of their way to comply with them. And in many CEs, users are not even trained in what they have to do. But failure to have adequate information security policies can lead to myriad risks for a CE.

The centrality of information security policies to virtually everything that happens in the information security field is increasingly evident. For example, system administrators cannot securely and effectively install a firewall unless they have received a set of clear information security policies. These policies will stipulate the types of transmission services that should be permitted, how to authenticate the identities of users, and how to log security-relevant events.

Similarly, an effective information security training and awareness effort cannot be initiated without first writing information security policies, because policies provide the essential content upon which training and awareness material rely. It is for these reasons that every major regulation or standard relating to information security and/or data privacy specifically requires written security policy documents.

A comprehensive set of security policies is required to map abstract security concepts to the real-world implementation of your security solutions, as policy defines the aims and goals of the CE.

Security processes can help a CE optimize its IT security infrastructure. The more complex an organization's IT security infrastructure becomes, the more important it is to follow consistent and formal security operational processes and policies.

Effective procedures ensure a standard level of configuration consistency within your organization. The benefits of Standard Operating Procedures (SOPs) are immense and include:
  • Standardize operations among divisions and departments
  • Reduce confusion
  • Designate responsibility
  • Improve accountability of personnel
  • Record the performance of all tasks and their results
  • Reduce costs
  • Reduce liability

There are many sources for SOPs, some of which include:
  • ISO 17799
  • COBIT
  • NIST 800 series
  • Standards for Security Categorization of Federal Information and Information Systems (FIPS 199)
  • ITIL

Step 4 - Training and Awareness

As noted above, an effective information security training and awareness effort can't be initiated without first writing information security policies, which provide the essential content for training and awareness materials. Establishing clear expectations through an information security awareness program is a critical element of an effective and enforceable set of policies.

Awareness is specifically required by HIPAA at § 164.308(a)(5)(i), Administrative safeguards, Standard: Security awareness and training: "Implement a security awareness and training program for all members of its workforce (including management)."

So important is awareness that The Standard of Good Practice for Information Security from the Information Security Forum (ISF) states that specific activities should be undertaken, such as a security awareness program, to promote security awareness to all individuals who have access to the information and systems of the organization, with the objective of ensuring that all relevant individuals apply security controls and prevent important information used throughout the organization from being compromised or disclosed to unauthorized individuals.

The ISF defines security awareness as the extent to which staff understand the importance of information security, the level of security required by the organization and their individual security responsibilities.

One of the major problems with all information security policies revolves around management not knowing whether users have read and understood the policies. If users have not read the policies, they may ignorantly do things that cause security problems, for example, opening a file sent as an email attachment without scanning the file with a virus detection package. If users have read the policies but not sufficiently understood them, they may still do things that cause security problems.

The true test of understanding would be observation in real-world working environments, but that is too expensive for many CEs. As the next best thing, users can be tested to determine that they understood the policy, and if they pass a quiz, access privileges may be granted. For example, a worker who wanted to telecommute could read the telecommuting security policy, take a quiz, and get a passing score, at which point management would authorize the user to gain access to the organization's internal network over the Internet using a virtual private network. In sophisticated organizations, such privileges may be enabled automatically based on a quiz delivered through an intranet computer-based training system.

Moving Beyond HIPAA

Once you take care of the above fundamental steps, go full-steam into HIPAA compliance. It is also important to do these steps before deploying a solution. But once that is done, Lumension's suite of proactive security solutions can help in your HIPAA program to ensure that confidential medical records, specifically patient health information, remain secure.

Endpoints, especially ones that move on and off the network, are extremely vulnerable to data threats as their configurations drift over time and are not kept up to date with the latest anti-virus signatures and operating system and application patches. Add to this unmanaged removable media ("podslurping": copying data onto an iPod or similar portable storage) and insecure applications, which together can easily open the floodgates for data to escape into the wrong hands, whether intentionally or accidentally.

The fact that so many endpoints are infested with spyware, keyloggers and other types of malware, which so easily compromise the integrity and confidentiality of patient information, should give any CIO pause.

Lumension Security's Proactive Security Suite helps ensure ePHI privacy by providing the necessary controls to manage the data flowing to and from network endpoints and by rapidly securing endpoint configurations and patching and remediating software vulnerabilities that could leave IT assets and sensitive data exposed. Some of these solutions include:

Lumension Security Vulnerability Management
  • Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
  • Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
  • Out-of-the-box regulatory and standards-based assessment to ensure endpoints are properly configured.
  • Custom remediation capabilities to address configuration issues, remove unauthorized files and applications, address zero-day threats, patch custom software and more.

Lumension Security Endpoint Protection
  • Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.

Lumension Security Data Protection
  • Policy-based enforcement of removable device use to control the flow of inbound and outbound data from your endpoints.

Lumension Security Reporting and Compliance
  • Robust data warehouse that enables easy creation and sharing of reports on all aspects of your security efforts in support of policy compliance.
The following table lists just some of the many ways Lumension Security's Proactive Security Suite benefits CEs:

Main benefit: Comply with HIPAA requirements for safeguarding the integrity and availability of ePHI
  • Reduce the risk of ePHI being improperly disclosed
  • Prove compliance with HIPAA by providing a detailed audit trail of all device and application execution attempts, by tracking data that is copied to and from removable devices and by controlling, at the file level, what data is allowed to be copied to a device
  • Patch and remediate vulnerabilities before they can be exploited to access ePHI
  • Control and monitor the flow of inbound and outbound ePHI on removable media and devices
  • Identify organizational security holes in the protection of ePHI through comprehensive auditing capabilities

Main benefit: Prevent malware execution originating at an endpoint
  • Protect against network security breaches where ePHI could be exposed to fraud
  • Enable the transmission, integrity, confidentiality and retention of ePHI without disruption, corruption or loss

Main benefit: Improve IT system performance
  • Prevent unwanted applications and devices from burdening network bandwidth
  • Enable faster computing resources on the network, laptops and PCs
  • Maintain PCs' performance as new, with configurations remaining stable

Main benefit: Reduce endpoint security TCO
  • Minimize security or HIPAA compliance crisis response
  • Remediate vulnerabilities more quickly and with fewer required resources

Main benefit: Improve end user productivity
  • Block unwanted, non-business applications
  • Enforce policy to ensure endpoints run as expected

Conclusion

Security and the protection of PHI is more than just firewalls and encryption. By taking this broad approach, and rising above the minimal protection that HIPAA offers, CEs can ensure that they are HIPAA compliant not only with the letter of the law but, more importantly, with its spirit.
About the Author

Ben Rothke, CISSP, PCI QSA (ben@rothke.com) is a New York based Security Consultant and the author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill, 2006).

About Lumension Security

Lumension Security, formed by the combination of PatchLink Corporation and SecureWave S.A., is a recognized, global security management company, providing unified protection and control of enterprise endpoints for more than 5,100 customers and 14 million nodes worldwide. Leveraging its proven Proactive Security Model, Lumension Security enables organizations to effectively manage risk at the endpoint by delivering best-of-breed, policy-based solutions that simplify the entire security management lifecycle. This includes Vulnerability Management, Endpoint Protection, Data Protection and Reporting and Compliance. Headquartered in Scottsdale, Arizona, Lumension has offices worldwide, including Virginia, Florida, Luxembourg, the United Kingdom, Spain, Australia, Hong Kong and Singapore.

Lumension Security, Inc.
15580 N. Greenway-Hayden Loop, Suite 100
Scottsdale, AZ 85260
www.lumension.com

Footnotes:

1. This is due in part to the fact that it is relatively easy to correlate seemingly unrelated data.
2. Any organization that routinely handles protected health information in any capacity is in all probability a covered entity.
3. ISO/IEC 27001 is the formal standard against which organizations may seek independent certification of their Information Security Management Systems (meaning their frameworks to design, implement, manage, maintain and enforce information security processes and controls systematically and consistently throughout the organization).
4. ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
5. ITIL is a customizable framework of best practices designed to promote quality computing services in the information technology sector.